Government: “Innocent” Megaupload user uploaded pirated music

But EFF chastises the feds for snooping through Kyle Goodwin's private files.

When the Electronic Frontier Foundation wanted to vindicate the rights of Megaupload users who used the locker site for non-infringing purposes, they put forward Kyle Goodwin. The Ohio videographer used Megaupload as a backup service, but he lost commercially valuable footage thanks to the unlucky combination of the government's January raid and a personal hard drive crash. Since May, he has been seeking the return of his files.

But the United States government is urging the court to procede slowly. In a Tuesday legal brief first covered by TorrentFreak, the government argued that Goodwin should prove that he owns the files before the court considers whether he should get them back. The feds also suggest that Goodwin might not own all the files he uploaded to the site—some of them were pirated copies of mainstream music.

But EFF's Julie Samuels argues that the government's tactics should frighten anyone who uses cloud computing services. Not only did the raid deprive Goodwin of his data, she said, but the government is now apparently rummaging through Goodwin's files looking for information to discredit him.

Not that innocent?

The government argues that the contractual agreements among Goodwin, Megaupload, and Carpathia (the firm that leased servers to Megaupload) may not actually give users a property interest in data they upload to the service.

"If mere use of the service was sufficient to create a legal ownership interest in servers leased by Megaupload from Carpathia, then there could be hundreds, if not hundreds of thousands, of 'owners' of each and every single Carpathia server," the government argues. "Such a result is absurd."

Moreover, the government questions whether Goodwin owns all the files he uploaded to Megaupload. It says it reviewed Goodwin's website and found that "numerous videos produced by Mr. Goodwin have as their soundtracks recordings of popular copyrighted music."

Even worse, the government contends that Goodwin uploaded "music files with MD5 values that matched the hash values of pirated versions of popular music" to Megaupload.

But Samuels says it's the government who has some explaining to do. "The government's approach should terrify any user or provider of cloud computer services," Samuels told Ars by e-mail. "The government apparently searched through the data it seized for one purpose, in order to use it against someone who was hurt by its actions but who is plainly not the target of any criminal investigation, much less the one against Megaupload."

Samuels told us that the government's response to Goodwin's petition demonstrates "that if users try to get their property back, the government won't hesitate to comb through it to try to find an argument to use against them."

Ira Rothken, an attorney for Megaupload, agreed. "The DOJ's action of bypassing password protection and snooping into Mr. Goodwin's Megaupload storage account data raises some customer privacy rights concerns that will need to be addressed," he told us by e-mail.

Samuels points out that similar tactics could be employed against users of more mainstream file hosting services such as Amazon S3 or iCloud. For example, if the government accidentally seized iCloud servers containing the only copy of priceless family photos, you'd need to be prepared to explain why there are pirated MP3s in your iTunes folder.

Samuels also argued that it's unreasonable to demand an ordinary user such as Goodwin to endure a grueling series of court hearings just to get his own files back. The government's position, she said, would impose a "virtually insurmountable burden" on innocent users seeking to get their files back by "asking the court to do a slow-walking, multi-step process that takes place in a faraway court. Most third parties are not in a position to attend even one court appearance, much less the multiple ones the government envisions."

Even worse, the government contends that Goodwin uploaded "music files with MD5 values that matched the hash values of pirated versions of popular music" to Megaupload.

Is there a way to tell the difference between a "pirated copy of popular music" created by, say, using LAME high quality defaults ripping from a CD, and a personal copy made with the same settings from the same CD?

I'm not sure if there's anything about encode time stored in the ID3 tags.

"If mere use of the service was sufficient to create a legal ownership interest in servers leased by Megaupload from Carpathia, then there could be hundreds, if not hundreds of thousands, of 'owners' of each and every single Carpathia server," the government argues. "Such a result is absurd."

He has a data ownership interest, not a hardware ownership interest. I use my bank, along with hundreds of thousands of others, and I damn sure still consider my money to be owned by me, although I don't think I own the vault. This argument seems like a non-sequitur to me, not to mention a disingenuous repeat of the claim some pirates use: it's just bits, what do you care?

Quote:

Moreover, the government questions whether Goodwin owns all the files he uploaded to Megaupload. It says it reviewed Goodwin's website and found that "numerous videos produced by Mr. Goodwin have as their soundtracks recordings of popular copyrighted music."

Another non-sequitur. Using copyrighted music as a soundtrack does not mean he did not get the appropriate use rights from the copyright holders. As Auslick said, Guilty until proven innocent.

Quote:

Even worse, the government contends that Goodwin uploaded "music files with MD5 values that matched the hash values of pirated versions of popular music" to Megaupload.

Popular software + popular method + popular hardware = overlapping hashes - correct? If I use the same NEC drive with the same offset, via foobar2000 at the same quality settings, can I not create a file with the same hash as someone else?

This argument holds more merit but A: does not prove anything and B: is irrelevant to releasing his own creations back to him.

Is there a way to tell the difference between a "pirated copy of popular music" created by, say, using LAME high quality defaults ripping from a CD, and a personal copy made with the same settings from the same CD?

Let's say that he did download those mp3s. Seems reasonable. How does the government know he doesn't own those CDs? I'm guessing he doesn't own those, but it's hardly a lock on the government's side of the argument. How are they any different from ones that he could have created himself if he owned the same CD? (Answer: They aren't, MD5 aside.)

Correct me if I am wrong, but I was under the impression that setting unrelated videos to popular music fell within fair use. I mean there are tons of fan-made music videos on youtube for example. How would this person's sport's videos be any different?

Even worse, the government contends that Goodwin uploaded "music files with MD5 values that matched the hash values of pirated versions of popular music" to Megaupload.

Is there a way to tell the difference between a "pirated copy of popular music" created by, say, using LAME high quality defaults ripping from a CD, and a personal copy made with the same settings from the same CD?

I'm not sure if there's anything about encode time stored in the ID3 tags.

The odds that he'd be using the same software and settings as whatever version is commonly available through illegitimate channels aren't necessarily that high. And that's assuming there aren't other factors going into the hash (like hardware).

Plus, there's the possibility that the files in question have ID3 tags giving them away as pirated (such as the "ripped by" tags that are not uncommon).

I'd be curious to know how they came to their conclusion, though.

Quote:

Another non-sequitur. Using copyrighted music as a soundtrack does not mean he did not get the appropriate use rights from the copyright holders. As Auslick said, Guilty until proven innocent.

Even more damning, Mr. Goodwin has no alibi for November 22, 1963. He also claims to have no connection to the September Eleventh jihadists, but has not provided the Government with proof of this statement.

Sounds like unreasonable search and seizure and violation of his due process rights.

For instance, you can't pull someone over just because you don't like them, and then search the trunk of their car looking for reason that they did something wrong. Even if you did find something, it would be thrown out of the court because it was evidence obtained illegally.

Such a situation should be a direct analogy to this one.

That is, of course, leaving aside any questions of whether the music files were "pirated" (which we can't possibly know), and the government's arguments regarding ownership of the data in general, which was soundly addressed by Tom Brokaw, above.

Is there a way to tell the difference between a "pirated copy of popular music" created by, say, using LAME high quality defaults ripping from a CD, and a personal copy made with the same settings from the same CD?

Let's say that he did download those mp3s. Seems reasonable. How does the government know he doesn't own those CDs? I'm guessing he doesn't own those, but it's hardly a lock on the government's side of the argument. How are they any different from ones that he could have created himself if he owned the same CD? (Answer: They aren't, MD5 aside.)

Legally, is downloading a copy from an unauthorized distributor allowed simply because you own the disc?

Correct me if I am wrong, but I was under the impression that setting unrelated videos to popular music fell within fair use. I mean there are tons of fan-made music videos on youtube for example. How would this person's sport's videos be any different?

IANAL, but I'm pretty sure you can't argue fair use when you are creating videos commercially.

Is there a way to tell the difference between a "pirated copy of popular music" created by, say, using LAME high quality defaults ripping from a CD, and a personal copy made with the same settings from the same CD?

Let's say that he did download those mp3s. Seems reasonable. How does the government know he doesn't own those CDs? I'm guessing he doesn't own those, but it's hardly a lock on the government's side of the argument. How are they any different from ones that he could have created himself if he owned the same CD? (Answer: They aren't, MD5 aside.)

Legally, is downloading a copy from an unauthorized distributor allowed simply because you own the disc?

The government's whole case against MegaUpload is that their business model is facilitating the illegal sharing of copyrighted content. This user says that he wants his data back, but some of his data is possibly pirated material. It seems to be dead in line with the gov's arguments.

fishsandwich wrote:

Correct me if I am wrong, but I was under the impression that setting unrelated videos to popular music fell within fair use. I mean there are tons of fan-made music videos on youtube for example. How would this person's sport's videos be any different?

No, it's not fair use. YouTube does various things ranging from deleting the video, to running ads on the page and giving the revenue to the copyright holder and all sorts of things in between.

Sounds like unreasonable search and seizure and violation of his due process rights.

For instance, you can't pull someone over just because you don't like them, and then search the trunk of their car looking for reason that they did something wrong. Even if you did find something, it would be thrown out of the court because it was evidence obtained illegally.

Such a situation should be a direct analogy to this one.

Except for the part where it's (argubably) not his car. And the "car" in question was impounded because the owner (allegedtly) commited crimes with it.

Even worse, the government contends that Goodwin uploaded "music files with MD5 values that matched the hash values of pirated versions of popular music" to Megaupload.

Is there a way to tell the difference between a "pirated copy of popular music" created by, say, using LAME high quality defaults ripping from a CD, and a personal copy made with the same settings from the same CD?

I'm not sure if there's anything about encode time stored in the ID3 tags.

Well no, but if he's like a lot of users with dozens of albums of music, and ALL of them match ones found on file-sharing sites, its EXTREMELY unlikely he just happened to somehow get files with the same hashes. Either way though, it doesn't matter because the government shouldn't be going through those files anyways.

Legally, is downloading a copy from an unauthorized distributor allowed simply because you own the disc?

I don't think this is the case, but I'm curious.

So far as I know, it is, and has been for a long time.

I'm thinking something more along the lines of a citation, not just you saying so. Not being argumentative, just saying that I'm looking for a more definitive answer than that. Maybe I'll look it up myself when I have a bit more time, though.

Is there a way to tell the difference between a "pirated copy of popular music" created by, say, using LAME high quality defaults ripping from a CD, and a personal copy made with the same settings from the same CD?

Regardless, ripping CD is not legal, even for you own use.

You are allowed to make backup copies upon receipt and unwrapping of said physical medium in accordance to local laws and/or agreements set forth by the publisher/manufacturer/distributer of said physical medium. Note, that allowance is contextual and differs from individual to individual based on their circumstances, locality and time. So you are incorrect with your one-line blanket statement.

Sounds like unreasonable search and seizure and violation of his due process rights.

For instance, you can't pull someone over just because you don't like them, and then search the trunk of their car looking for reason that they did something wrong. Even if you did find something, it would be thrown out of the court because it was evidence obtained illegally.

Such a situation should be a direct analogy to this one.

Except for the part where it's (argubably) not his car. And the "car" in question was impounded because the owner (allegedtly) commited crimes with it.

Be careful when you use the phrase "direct analogy."

Except he hasn't allegedly committed any crimes outside of potential piracy which was found by seizing property unrelated to this. If I were to try my hand at a car metaphor, it would be that he was using a rental car, but then rental company was found to be operating illegally so his rental car was seized for that purpose, then searched for anything to stop him from suing for his reimbursement or similar.

Sounds like unreasonable search and seizure and violation of his due process rights.

For instance, you can't pull someone over just because you don't like them, and then search the trunk of their car looking for reason that they did something wrong. Even if you did find something, it would be thrown out of the court because it was evidence obtained illegally.

Such a situation should be a direct analogy to this one.

Except for the part where it's (argubably) not his car. And the "car" in question was impounded because the owner (allegedtly) commited crimes with it.

Be careful when you use the phrase "direct analogy."

Fair point.

How about if they pulled over and arrested a mail truck driver (for whatever reason), and impounded the truck for an ongoing investigation. And then say they had reason to believe that many people were using the mail for drug running, and knew that this particular truck and driver was the carrier.

But, the mail is used by many people for legitimate business as well. Like Kyle Goodwin, who was using it for his business. Perhaps he was sending demo reels for prospective business deals this way. And because they intercepted the mail, he missed a deadline and lost a major deal that he was counting on to pay his salary that year.

Now, he's lobbying to get it back, but the government decided that it would open up his mail and discovered that he had burned copies of CDs and DVDs with commercial music tracks. They decided these are probably pirated and refuse.

It's illegal to open someone else's mail, because regardless of who is carrying it, ownership is still assigned to the recipient. When dealing with data stored on a third-party server, unless the ToS state otherwise, ownership of said data still is assigned to the uploader.

It is a federal crime to intercept and open someone else's mail, regardless of who's carrying it. I believe that this principle should apply here, as well.

I also think it still applies that they illegally obtained personal effects in order to retroactively justify the search and seizure of his data. It still remains a violation of his 4th Amendment and 5th Amendment rights.

Even worse, the government contends that Goodwin uploaded "music files with MD5 values that matched the hash values of pirated versions of popular music" to Megaupload.

Is there a way to tell the difference between a "pirated copy of popular music" created by, say, using LAME high quality defaults ripping from a CD, and a personal copy made with the same settings from the same CD?

I'm not sure if there's anything about encode time stored in the ID3 tags.

I suppose it's theoretically possible that two completely independently produced MP3 files would have the have the same MD5 hash but it's highly unlikely. They would have needed to use the exact same encoder, version, settings and same code path. They also would need to have exactly the same ID3 information on the file. The slightest difference in ANYTHING related to the file would result in a different hash.

One thing to keep in mind is that while an audio cd is digital it doesn't actually have enough error correction to ensure that there are no errors when reading the disk. The ecc actually just wants to make sure you don't hear pops or other audible noises so an uncompressed rip from two different cd's could be different or even rips from the same cd in different cd players could be different.

I MIGHT be able to prove this is theoretically possible but I'd consider the odds of it happening in the wild to be pretty slim. If the hash is the same either he is the original source for the pirated file being passed around or he downloaded the file.

Correct me if I am wrong, but I was under the impression that setting unrelated videos to popular music fell within fair use. I mean there are tons of fan-made music videos on youtube for example. How would this person's sport's videos be any different?

No, it's not fair use. YouTube does various things ranging from deleting the video, to running ads on the page and giving the revenue to the copyright holder and all sorts of things in between.

It also depends on the copyright owner. Some owners are more touchy about this than others; I know several music labels go after users for just using the music to overlay into their videos, while some bands who retain the rights to their music allow it to be shared freely, and actively encourage this exact sort of use. IANAL, but as I recall, while this sort of use IS fair use, there's a certain standard to the work you have to get to to make it fair use, and the standard includes the fact that said work using the copyrighted bit has to be for personal, not-for-profit use, otherwise you need to get permission (and usually pay a licensing fee of some kind).

If someone rips a CD they legally own to make an MP3 for personal use, and uses a popular MP3 encoding program with its default parameters, it will probably have an MD5 match with a file-shared version of the same song. Even the RIAA's website admits that such use is legal.

Even worse, the government contends that Goodwin uploaded "music files with MD5 values that matched the hash values of pirated versions of popular music" to Megaupload.

Is there a way to tell the difference between a "pirated copy of popular music" created by, say, using LAME high quality defaults ripping from a CD, and a personal copy made with the same settings from the same CD?

I'm not sure if there's anything about encode time stored in the ID3 tags.

From what I've been told, it's basically impossible to reproduce the exact same file, bit for bit, by the time you get through the ripping and encoding process.

Sounds like unreasonable search and seizure and violation of his due process rights.

For instance, you can't pull someone over just because you don't like them, and then search the trunk of their car looking for reason that they did something wrong. Even if you did find something, it would be thrown out of the court because it was evidence obtained illegally.

Such a situation should be a direct analogy to this one.

Except for the part where it's (argubably) not his car. And the "car" in question was impounded because the owner (allegedtly) commited crimes with it.

Be careful when you use the phrase "direct analogy."

If you want to be picky, it's more like MU was running a storage and delivery service out of rented warehouse space. The government's argument is that, among other things, MU's services were used for illegal DVDs and albums, and MU both knew and directly facilitated this. The government then not only confiscated all items in MU's rented space, most of which have nothing to do with the case, but wanted to destroy them.

Of course, if this had been a case with real property, the 3rd parties that were using the space legally would have every right to get their possessions returned. The legal issues of the company storing the items has no barring whatsoever.

I MIGHT be able to prove this is theoretically possible but I'd consider the odds of it happening in the wild to be pretty slim. If the hash is the same either he is the original source for the pirated file being passed around or he downloaded the file.

Just rip two copies of the same audio track and see if they come out byte-identical - even before encoding to MP3. My bet is they won't. Even one sample of difference should break a hash.

Correct me if I am wrong, but I was under the impression that setting unrelated videos to popular music fell within fair use. I mean there are tons of fan-made music videos on youtube for example. How would this person's sport's videos be any different?

It's fair use only if you legally obtained the music in the first place.

Is the search warrant for the seizure and imaging of the Carpathia servers out there? I'm betting it's broad in scope and allows them to look at every file on the server, so any complaint about unreasonable search is probably moot. It's my problem with most search and seizure laws - all they need is one hanging judge to issue a warrant and they can take anything you own and it's incredibly hard to get it back. While there is a motivating interest to seize a pile of cocaine or funds being bounced to a hitman and not return them, there is simply no appropriate protection to arbitrary seizures.

Even worse, the government contends that Goodwin uploaded "music files with MD5 values that matched the hash values of pirated versions of popular music" to Megaupload.

Is there a way to tell the difference between a "pirated copy of popular music" created by, say, using LAME high quality defaults ripping from a CD, and a personal copy made with the same settings from the same CD?

I'm not sure if there's anything about encode time stored in the ID3 tags.

From what I've been told, it's basically impossible to reproduce the exact same file, bit for bit, by the time you get through the ripping and encoding process.

Told by whom, though? On what circumstances did they base this assumption? I mean, I am no expert, but it seems reasonable to me that using default settings to rip a CD and using publicly available info to automatically populate the metadata has a much greater than zero chance of creating a file that would generate the same MD5 hash. If there is evidence to the contrary then anyone making the argument needs to produce that. Presumption of innocence, remember?

And friends think it's over the top to keep everything encrypted? This case proves that the government will milk every loophole to get what they want with no concern for the public. Some of you may say, "Well, duh" but I had hoped that the whole "innocent until proven guilty" and "unlawful search and seizure" would have played any part in these proceedings.

I was watching a presentation by a lawyer who said that the Fifth Amendment exists to protect the innocent, not the guilty. I use encryption for the same reason. AFAIK, you are not, at least for now, required to give your password. Which would mean the government couldn't prove anything. So, in theory, they would have no way to say I have done/possess something illegal.

The government's whole case against MegaUpload is that their business model is facilitating the illegal sharing of copyrighted content. This user says that he wants his data back, but some of his data is possibly pirated material. It seems to be dead in line with the gov's arguments.

So because the government claims some of his data possibly contains copyrighted material he loses his rights to all data? You seriously don't find anything wrong with this? Even if they actually proved that he infringed others' copyrights, why would he lose his access to the other data?

But Samuels says it's the government who has some explaining to do. "The government's approach should terrify any user or provider of cloud computer services," Samuels told Ars by e-mail. "The government apparently searched through the data it seized for one purpose, in order to use it against someone who was hurt by its actions but who is plainly not the target of any criminal investigation, much less the one against Megaupload."

Yes, it should. This, and some other issues. should scare people off cloud storage for anything that's important to them.

It makes me a bit nervous about my Nook library: Even though I doubt I'll ever read any of those books again I would like to be able to get to them. And it makes me very nervous about storing any data I own on the cloud, especially profitable data (music and video).

If someone rips a CD they legally own to make an MP3 for personal use, and uses a popular MP3 encoding program with its default parameters, it will probably have an MD5 match with a file-shared version of the same song.

No it won't. The ripping process used to pull PCM data off of CD's is not perfect at all, since audio CD's were not intended to be used as data storage devices. Even small differences in the timing of the servos and other electronics in the drive will cause different PCM files. Add to that the fact that the audio bitstream has no real synchronization or error correction (basically, the data coming out is the same as what goes to the d/a decoder), and you get a lot of variation in what the bitstream can contain.

I have ripped many CD's, back before iTunes was a thing, and I had to re-rip tracks fairly regularly because of dropouts or skips in the final audio file. If there are audible differences between two rips on the same drive, there will definitely be differences in a final, encoded MP3 file.

Timothy B. Lee / Timothy covers tech policy for Ars, with a particular focus on patent and copyright law, privacy, free speech, and open government. His writing has appeared in Slate, Reason, Wired, and the New York Times.